Block DES-CBC usage in decrypting PKCS#12 bag under FIPS
Resolves: #2115244 Signed-off-by: Daiki Ueno <dueno@redhat.com>
This commit is contained in:
Daiki Ueno
parent
2a096a6a85
commit
91b2da8826
58
gnutls-3.7.6-fips-pkcs12-des-cbc.patch
Normal file
58
gnutls-3.7.6-fips-pkcs12-des-cbc.patch
Normal file
@ -0,0 +1,58 @@
|
||||
From de09280b2a8314eb98ec9a2b84eebe3eec2f49bd Mon Sep 17 00:00:00 2001
|
||||
From: Daiki Ueno <ueno@gnu.org>
|
||||
Date: Thu, 4 Aug 2022 16:37:51 +0900
|
||||
Subject: [PATCH] _gnutls_decrypt_pbes1_des_md5_data: use public crypto API
|
||||
|
||||
This is a follow-up of e7f9267342bc2231149a640163c82b63c86f1dfd. In
|
||||
the decryption code path with PBES1, algorithm checks for FIPS was not
|
||||
applied, because it used internal functions that bypass those checks.
|
||||
|
||||
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
||||
---
|
||||
lib/x509/privkey_pkcs8_pbes1.c | 10 ++++------
|
||||
1 file changed, 4 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/lib/x509/privkey_pkcs8_pbes1.c b/lib/x509/privkey_pkcs8_pbes1.c
|
||||
index c296807974..983530e46a 100644
|
||||
--- a/lib/x509/privkey_pkcs8_pbes1.c
|
||||
+++ b/lib/x509/privkey_pkcs8_pbes1.c
|
||||
@@ -140,7 +140,7 @@ _gnutls_decrypt_pbes1_des_md5_data(const char *password,
|
||||
{
|
||||
int result;
|
||||
gnutls_datum_t dkey, d_iv;
|
||||
- cipher_hd_st ch;
|
||||
+ gnutls_cipher_hd_t ch;
|
||||
uint8_t key[16];
|
||||
const unsigned block_size = 8;
|
||||
|
||||
@@ -158,16 +158,14 @@ _gnutls_decrypt_pbes1_des_md5_data(const char *password,
|
||||
dkey.size = 8;
|
||||
d_iv.data = &key[8];
|
||||
d_iv.size = 8;
|
||||
- result =
|
||||
- _gnutls_cipher_init(&ch, cipher_to_entry(GNUTLS_CIPHER_DES_CBC),
|
||||
- &dkey, &d_iv, 0);
|
||||
+ result = gnutls_cipher_init(&ch, GNUTLS_CIPHER_DES_CBC, &dkey, &d_iv);
|
||||
if (result < 0) {
|
||||
_gnutls_switch_fips_state(GNUTLS_FIPS140_OP_ERROR);
|
||||
return gnutls_assert_val(result);
|
||||
}
|
||||
_gnutls_switch_fips_state(GNUTLS_FIPS140_OP_NOT_APPROVED);
|
||||
|
||||
- result = _gnutls_cipher_decrypt(&ch, encrypted_data->data, encrypted_data->size);
|
||||
+ result = gnutls_cipher_decrypt(ch, encrypted_data->data, encrypted_data->size);
|
||||
if (result < 0) {
|
||||
gnutls_assert();
|
||||
goto error;
|
||||
@@ -184,7 +182,7 @@ _gnutls_decrypt_pbes1_des_md5_data(const char *password,
|
||||
|
||||
result = 0;
|
||||
error:
|
||||
- _gnutls_cipher_deinit(&ch);
|
||||
+ gnutls_cipher_deinit(ch);
|
||||
|
||||
return result;
|
||||
}
|
||||
--
|
||||
2.37.1
|
||||
|
||||
@ -13,7 +13,7 @@ print(string.sub(hash, 0, 16))
|
||||
}
|
||||
|
||||
Version: 3.7.6
|
||||
Release: 4%{?dist}
|
||||
Release: 5%{?dist}
|
||||
# not upstreamed
|
||||
Patch: gnutls-3.6.7-no-now-guile.patch
|
||||
Patch: gnutls-3.2.7-rpath.patch
|
||||
@ -26,6 +26,7 @@ Patch: gnutls-3.7.6-ktls-disable-by-default.patch
|
||||
Patch: gnutls-3.7.6-ktls-fixes.patch
|
||||
Patch: gnutls-3.7.6-aes-gcm-pt-limit.patch
|
||||
Patch: gnutls-3.7.6-pkcs7-verify.patch
|
||||
Patch: gnutls-3.7.6-fips-pkcs12-des-cbc.patch
|
||||
|
||||
# not upstreamed
|
||||
Patch: gnutls-3.7.3-disable-config-reload.patch
|
||||
@ -360,6 +361,9 @@ make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Thu Aug 4 2022 Daiki Ueno <dueno@redhat.com> - 3.7.6-5
|
||||
- Block DES-CBC usage in decrypting PKCS#12 bag under FIPS (#2115244)
|
||||
|
||||
* Fri Jul 29 2022 Daiki Ueno <dueno@redhat.com> - 3.7.6-4
|
||||
- Make gnutls-cli work with KTLS for testing
|
||||
- Fix double-free in gnutls_pkcs7_verify (#2109790)
|
||||
|
||||
Loading…
Reference in New Issue
Block a user